[v2,11/11] net/mlx5: enforce limitation on IPv6 next proto
Commit Message
Due to PRM requirement, the IPv6 header item 'proto' field, indicating
the next header protocol, should not be set as extension header.
This patch adds the relevant validation, and documents the limitation.
Signed-off-by: Dekel Peled <dekelp@nvidia.com>
---
doc/guides/nics/mlx5.rst | 7 +++++++
drivers/net/mlx5/mlx5_flow.c | 14 ++++++++++++--
2 files changed, 19 insertions(+), 2 deletions(-)
Comments
Hi
> -----Original Message-----
> From: Dekel Peled <dekelp@nvidia.com>
> Sent: Friday, October 2, 2020 12:15 AM
> Subject: [PATCH v2 11/11] net/mlx5: enforce limitation on IPv6 next proto
>
> Due to PRM requirement, the IPv6 header item 'proto' field, indicating
> the next header protocol, should not be set as extension header.
> This patch adds the relevant validation, and documents the limitation.
>
> Signed-off-by: Dekel Peled <dekelp@nvidia.com>
> ---
> doc/guides/nics/mlx5.rst | 7 +++++++
> drivers/net/mlx5/mlx5_flow.c | 14 ++++++++++++--
> 2 files changed, 19 insertions(+), 2 deletions(-)
>
> diff --git a/doc/guides/nics/mlx5.rst b/doc/guides/nics/mlx5.rst
> index 211c0c5..e6ca5e1 100644
> --- a/doc/guides/nics/mlx5.rst
> +++ b/doc/guides/nics/mlx5.rst
> @@ -311,6 +311,13 @@ Limitations
> for some NICs (such as ConnectX-6 Dx and BlueField 2).
> The capability bit ``scatter_fcs_w_decap_disable`` shows NIC support.
>
> +- IPv6 header item 'proto' field, indicating the next header protocol, should
> + not be set as extension header.
> + In case the next header is an extension header, it should not be specified in
> + IPv6 header item 'proto' field.
> + The last extension header item 'next header' field can specify the following
> + header protocol type.
> +
> Statistics
> ----------
>
> diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
> index 906741f..7a438cf 100644
> --- a/drivers/net/mlx5/mlx5_flow.c
> +++ b/drivers/net/mlx5/mlx5_flow.c
> @@ -1645,9 +1645,9 @@ struct mlx5_flow_tunnel_info {
> RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> "IPv6 cannot follow L2/VLAN layer "
> "which ether type is not IPv6");
> + if (mask && spec)
> + next_proto = mask->hdr.proto & spec->hdr.proto;
> if (item_flags & MLX5_FLOW_LAYER_IPV6_ENCAP) {
> - if (mask && spec)
> - next_proto = mask->hdr.proto & spec->hdr.proto;
> if (next_proto == IPPROTO_IPIP || next_proto ==
> IPPROTO_IPV6)
> return rte_flow_error_set(error, EINVAL,
>
> RTE_FLOW_ERROR_TYPE_ITEM,
> @@ -1655,6 +1655,16 @@ struct mlx5_flow_tunnel_info {
> "multiple tunnel "
> "not supported");
> }
> + if (next_proto == IPPROTO_HOPOPTS ||
> + next_proto == IPPROTO_ROUTING ||
> + next_proto == IPPROTO_FRAGMENT ||
> + next_proto == IPPROTO_ESP ||
> + next_proto == IPPROTO_AH ||
> + next_proto == IPPROTO_DSTOPTS)
> + return rte_flow_error_set(error, EINVAL,
> + RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> + "IPv6 proto (next header) should "
> + "not be set as extension header");
> if (item_flags & MLX5_FLOW_LAYER_IPIP)
> return rte_flow_error_set(error, EINVAL,
> RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> --
> 1.8.3.1
Acked-by: Ori Kam <orika@nvidia.com>
Thanks,
Ori
@@ -311,6 +311,13 @@ Limitations
for some NICs (such as ConnectX-6 Dx and BlueField 2).
The capability bit ``scatter_fcs_w_decap_disable`` shows NIC support.
+- IPv6 header item 'proto' field, indicating the next header protocol, should
+ not be set as extension header.
+ In case the next header is an extension header, it should not be specified in
+ IPv6 header item 'proto' field.
+ The last extension header item 'next header' field can specify the following
+ header protocol type.
+
Statistics
----------
@@ -1645,9 +1645,9 @@ struct mlx5_flow_tunnel_info {
RTE_FLOW_ERROR_TYPE_ITEM, item,
"IPv6 cannot follow L2/VLAN layer "
"which ether type is not IPv6");
+ if (mask && spec)
+ next_proto = mask->hdr.proto & spec->hdr.proto;
if (item_flags & MLX5_FLOW_LAYER_IPV6_ENCAP) {
- if (mask && spec)
- next_proto = mask->hdr.proto & spec->hdr.proto;
if (next_proto == IPPROTO_IPIP || next_proto == IPPROTO_IPV6)
return rte_flow_error_set(error, EINVAL,
RTE_FLOW_ERROR_TYPE_ITEM,
@@ -1655,6 +1655,16 @@ struct mlx5_flow_tunnel_info {
"multiple tunnel "
"not supported");
}
+ if (next_proto == IPPROTO_HOPOPTS ||
+ next_proto == IPPROTO_ROUTING ||
+ next_proto == IPPROTO_FRAGMENT ||
+ next_proto == IPPROTO_ESP ||
+ next_proto == IPPROTO_AH ||
+ next_proto == IPPROTO_DSTOPTS)
+ return rte_flow_error_set(error, EINVAL,
+ RTE_FLOW_ERROR_TYPE_ITEM, item,
+ "IPv6 proto (next header) should "
+ "not be set as extension header");
if (item_flags & MLX5_FLOW_LAYER_IPIP)
return rte_flow_error_set(error, EINVAL,
RTE_FLOW_ERROR_TYPE_ITEM, item,
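Review bot: The new `next_proto == IPPROTO_HOPOPTS` comparison also fires when the rule does not match on the proto field at all, because IPPROTO_HOPOPTS is 0 and the previous hunk now computes `next_proto = mask->hdr.proto & spec->hdr.proto` for every IPv6 item, which yields 0 whenever the mask's proto byte is 0. A rule that supplies spec and mask only for the addresses would then be rejected with EINVAL and the "should not be set as extension header" message. Take the value only when the field is really matched, e.g. `if (mask && spec && mask->hdr.proto == UINT8_MAX)` followed by `next_proto = spec->hdr.proto;`, which relies on the initial value of next_proto (declared outside these hunks) not being one of the rejected protocols. A partial mask has the same ambiguity, since the masked value no longer identifies a single next-header type. The enclosing function starts and ends outside both hunks.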